CRITICAL: Incomplete user deletion - orphaned data risk
CRITICAL: SMTP password stored in plaintext in SQLite
CRITICAL: Async route handlers lack try/catch - unhandled rejections crash process
cycle_type and billing_cycle not acted on in statusService
updateCheckService.js Forgejo URL is hard-coded with no env override
Bill grouping and reorganization API
UI for defining recurring bill generation rules
LOW: Auto-generated encryption key stored in same SQLite database as encrypted data
LOW: OIDC client secret stored in plaintext in user_settings table
LOW: Login rate limiter bypassed when no users exist (first-run timing window)
LOW: CORS_ORIGIN accepts comma-separated origins without URL validation
LOW: LIVE constant interpolated into SQL queries in payments.js
MEDIUM: CSRF cookie defaults to httpOnly=false - XSS bypasses CSRF protection
MEDIUM: Admin routes use req.params.id without integer validation
MEDIUM: No pagination on core list endpoints - returns all records
MEDIUM: TrackerPage.jsx is 2386 lines with 44 hooks - maintainability and re-render risks